diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml index 4d2aed76e..a3420570b 100644 --- a/.github/workflows/deploy.yml +++ b/.github/workflows/deploy.yml @@ -93,6 +93,17 @@ jobs: run: | npm install -g purgecss@8.0.0 purgecss -c purgecss.config.js + - name: Build template PDFs ๐Ÿ“„ + if: github.event_name != 'pull_request' + continue-on-error: true + run: | + npm install -g md-to-pdf@5.2.0 + mkdir -p _site/assets/pdf/templates + for f in _includes/templates/*.md; do + [ -f "$f" ] || continue + base=$(basename "$f" .md) + md-to-pdf "$f" --pdf-options '{"format":"Letter","margin":{"top":"0.75in","right":"0.75in","bottom":"0.75in","left":"0.75in"}}' --dest "_site/assets/pdf/templates/" || echo "PDF gen failed for $f โ€” skipping" + done - name: Deploy ๐Ÿš€ if: github.event_name != 'pull_request' uses: JamesIves/github-pages-deploy-action@d92aa235d04922e8f08b40ce78cc5442fcfbfa2f # v4 diff --git a/.gitignore b/.gitignore index 32db5e971..e526f8232 100644 --- a/.gitignore +++ b/.gitignore @@ -18,3 +18,4 @@ _posts/archive assets/archive .superpowers/ claude-changes.log +AGENTS.md diff --git a/_config.yml b/_config.yml index 444668dc7..ff5a42b5a 100644 --- a/_config.yml +++ b/_config.yml @@ -156,6 +156,9 @@ collections: conferences: output: true permalink: /cybersecurity-calendar/:title/ + templates: + output: true + permalink: /templates/:title/ # ----------------------------------------------------------------------------- # Jekyll settings diff --git a/_data/learning_paths.yml b/_data/learning_paths.yml new file mode 100644 index 000000000..fc2320657 --- /dev/null +++ b/_data/learning_paths.yml @@ -0,0 +1,205 @@ +# Learning paths for /start/. Each path = persona + ordered steps. +# step.kind: "explained" (article from _explained), "tool" (from /tools/), +# "external" (off-site link), "checkpoint" (review milestone). +# step.url is required for explained/tool/external; optional for checkpoint. + +- id: new-to-cyber + title: New to Cybersecurity + audience: For curious beginners with no prior background. + icon: seedling + description: > + Build a working mental model of how attacks happen and how defenders + respond. No tools, no jargon โ€” start here, then branch into a role. + goal: Understand the basics; protect your own accounts and devices. + duration: ~45 min reading + steps: + - kind: explained + title: The CIA Triad + url: /explained/cia-triad/ + desc: The three security goals every control maps back to. + - kind: explained + title: Strong Passwords + url: /explained/strong-passwords/ + desc: Why length beats complexity and how attackers crack weak ones. + - kind: explained + title: Password Managers + url: /explained/password-managers/ + desc: One vault, unique passwords, no reuse. + - kind: explained + title: Multi-Factor Authentication + url: /explained/two-factor-authentication/ + desc: Even a leaked password should not be enough. + - kind: explained + title: Phishing & Social Engineering + url: /explained/social-engineering/ + desc: Most breaches start with a person, not a zero-day. + - kind: explained + title: Malware + url: /explained/malware/ + desc: Viruses, worms, trojans โ€” what they are and how they spread. + - kind: explained + title: Ransomware + url: /explained/ransomware/ + desc: The dominant criminal threat to small organizations today. + - kind: explained + title: Backups + url: /explained/backups/ + desc: The single most cost-effective ransomware control. + - kind: checkpoint + title: Personal Hardening Checklist + desc: Pick a password manager, turn on MFA on email + bank + work, set up backups for one important folder. Then continue. + +- id: blue-team-analyst + title: Blue Team Analyst + audience: For aspiring SOC analysts or working defenders. + icon: shield-check + description: > + Move from concepts to daily operations: vulnerability triage, IOC + research, log review, and incident response. + goal: Be able to triage a CVE, look up an IP, and read a hash result. + duration: ~90 min + tool practice + steps: + - kind: explained + title: CVEs & CVSS Scoring + url: /explained/cve-cvss/ + desc: How vulnerabilities get IDs and how severity is scored. + - kind: explained + title: EPSS โ€” Exploit Likelihood + url: /explained/epss/ + desc: Why CVSS alone is not enough and where EPSS fits. + - kind: tool + title: EPSS Scanner + url: /epss/ + desc: Look up a real CVE โ€” try CVE-2021-44228 (Log4Shell). + - kind: explained + title: Patch Management + url: /explained/patch-management/ + desc: Turn vulnerability data into a patching cadence. + - kind: explained + title: Attack Surface + url: /explained/attack-surface/ + desc: What you expose is what you have to defend. + - kind: explained + title: Incident Response + url: /explained/incident-response/ + desc: The PICERL lifecycle โ€” Prepare, Identify, Contain, Eradicate, Recover, Lessons. + - kind: tool + title: IP Reputation + url: /tools/ip-reputation/ + desc: Pivot a suspicious IP across multiple intel sources. + - kind: tool + title: Hash Lookup + url: /tools/hash-lookup/ + desc: Identify whether a file hash is known-good (NSRL) or known-malicious. + - kind: explained + title: OSINT + url: /explained/osint/ + desc: Open-source intelligence techniques for analysts. + - kind: explained + title: Red Team vs Blue Team + url: /explained/red-blue-team/ + desc: How offense and defense work together (purple teaming). + - kind: tool + title: Blue Team Hub + url: /blue-team/ + desc: Bookmark this โ€” it is your daily toolkit landing page. + +- id: it-leader + title: IT Leader + audience: For directors, managers, and architects shaping security strategy. + icon: chess-king + description: > + Frameworks and architectural primitives for building a defensible + program. Light on tools, heavy on principles and tradeoffs. + goal: Speak fluently about zero trust, segmentation, and supply chain risk. + duration: ~70 min reading + steps: + - kind: explained + title: The CIA Triad + url: /explained/cia-triad/ + desc: The vocabulary every policy and control maps to. + - kind: explained + title: Least Privilege + url: /explained/least-privilege/ + desc: The single most leveraged architectural control. + - kind: explained + title: Zero Trust + url: /explained/zero-trust/ + desc: Never trust, always verify โ€” and what that means in practice. + - kind: explained + title: Network Segmentation + url: /explained/network-segmentation/ + desc: Containing blast radius when (not if) something gets in. + - kind: explained + title: Multi-Factor Authentication + url: /explained/mfa-apps/ + desc: Choosing app-based MFA over SMS โ€” why and how to roll out. + - kind: explained + title: Supply Chain Attacks + url: /explained/supply-chain-attacks/ + desc: SolarWinds-class risk and how to reason about vendor dependencies. + - kind: explained + title: Patch Management + url: /explained/patch-management/ + desc: The operational reality behind a "patched" environment. + - kind: explained + title: Incident Response + url: /explained/incident-response/ + desc: Tabletop exercise material for your leadership team. + - kind: explained + title: Backups + url: /explained/backups/ + desc: Your final, tested control against ransomware. + - kind: checkpoint + title: Strategy Review + desc: Map each principle to one control already in place and one gap. That is your next quarter's roadmap. + +- id: small-business + title: Small Business Owner + audience: For owners and operators of teams under ~50 people. + icon: building-store + description: > + Get the highest-leverage controls in place without a full-time + security team. Focused on email, accounts, and recovery. + goal: Reach a defensible baseline you can re-audit annually. + duration: ~50 min reading + 1 hour setup + steps: + - kind: explained + title: Strong Passwords + url: /explained/strong-passwords/ + desc: "Issue: most breaches start with credential reuse." + - kind: explained + title: Password Managers + url: /explained/password-managers/ + desc: Pick one. Roll it to the team. Done. + - kind: explained + title: Multi-Factor Authentication (App-Based) + url: /explained/mfa-apps/ + desc: Free, fast, blocks ~99% of credential-stuffing attempts. + - kind: explained + title: Email Spoofing + url: /explained/emailspoofing/ + desc: SPF, DKIM, DMARC โ€” the cheapest brand-protection wins. + - kind: explained + title: Business Email Compromise + url: /explained/business-email-compromise/ + desc: Wire-fraud loss vector โ€” train staff and add an out-of-band check. + - kind: explained + title: Ransomware + url: /explained/ransomware/ + desc: Worst-case scenario you must plan for. + - kind: explained + title: Backups + url: /explained/backups/ + desc: Tested, off-site, immutable if possible. + - kind: explained + title: Social Engineering + url: /explained/social-engineering/ + desc: Brief your team โ€” a 30-minute talk pays for itself. + - kind: explained + title: Patch Management + url: /explained/patch-management/ + desc: Auto-update everything you can. Track the rest in a spreadsheet. + - kind: checkpoint + title: Annual Re-Audit + desc: Schedule the next review for one year out. The threat landscape moves; your baseline must too. diff --git a/_data/tools.yml b/_data/tools.yml new file mode 100644 index 000000000..790a5892b --- /dev/null +++ b/_data/tools.yml @@ -0,0 +1,100 @@ +# Tools landing page data โ€” drives _pages/tools.md grouping. +# Each group renders as a section with .djb-card tiles. + +- group: Vulnerability Management + slug: vuln-mgmt + description: Triage and prioritize vulnerabilities by real-world exploit likelihood. + icon: shield-half-filled + tools: + - name: EPSS Scanner + url: /epss/ + description: Look up Exploit Prediction Scoring System (EPSS) scores for any CVE, with 30-day history and CISA KEV cross-reference. + action: Launch + status: active + +- group: Web Security + slug: web-security + description: Inspect live web applications for missing protections. + icon: lock + tools: + - name: Header Analyzer + url: /tools/header-analyzer/ + description: Inspect HTTP security headers and surface missing protections (CSP, HSTS, X-Frame-Options, Permissions-Policy). + action: Launch + status: active + +- group: OSINT & Intel + slug: osint + description: Reputation, attribution, and adversary research from open sources. + icon: world-search + tools: + - name: IP Reputation + url: /tools/ip-reputation/ + description: Query IPs against AbuseIPDB, GreyNoise, and other threat-intel sources in one shot. + action: Launch + status: active + - name: OSINT Search + url: /cybersearch/ + description: Curated OSINT and cybersecurity-focused search engines for threat intelligence research. + action: Open + status: active + - name: MITRE ATT&CK + url: https://attack.mitre.org/ + description: Globally accessible knowledge base of adversary tactics, techniques, and procedures. + action: Open + external: true + status: active + +- group: Forensics & Analysis + slug: forensics + description: Identify files, hashes, and indicators of compromise. + icon: fingerprint + tools: + - name: Hash Lookup + url: /tools/hash-lookup/ + description: Check MD5/SHA-1/SHA-256 hashes against CIRCL Hashlookup (NSRL known-good and known-malicious). + action: Launch + status: active + - name: Log Analyzer + url: "#" + description: Parse common log formats (Apache, Nginx, syslog, JSON-lines) to surface suspicious patterns and IOCs. + action: In development + status: planned + +- group: Threat Mapping + slug: maps + description: Real-time threat telemetry and global attack visualization. + icon: map-2 + tools: + - name: Threat Maps + url: /maps/ + description: Curated set of live threat maps from major vendors and security feeds. + action: Open + status: active + +- group: AI & Prompt Engineering + slug: ai + description: Prompts and AI tooling for daily security work. + icon: sparkles + tools: + - name: AI Tools & Prompts + url: /ai-tools-prompts/ + description: Hand-tuned prompts for ChatGPT and Copilot covering policy drafting, log analysis, and incident triage. + action: Open + status: active + +- group: Hubs + slug: hubs + description: Themed landing pages that group tools by audience. + icon: layout-grid + tools: + - name: Blue Team + url: /blue-team/ + description: Defender-focused tool index with quick-start workflow. + action: Open + status: active + - name: Red Team + url: /red-team/ + description: Offensive testing reference (read-only resource list). + action: Open + status: active diff --git a/_includes/subscribe-cta.html b/_includes/subscribe-cta.html new file mode 100644 index 000000000..bc4180546 --- /dev/null +++ b/_includes/subscribe-cta.html @@ -0,0 +1,39 @@ +
+
+ + +
+
+ + RSS + + {% if site.data.socials.linkedin_username %} + + LinkedIn + + {% endif %} + {% if site.data.socials.github_username %} + + GitHub + + {% endif %} + {% if site.data.socials.youtube_id %} + + YouTube + + {% endif %} + {% if site.data.socials.tiktok_username %} + + TikTok + + {% endif %} +
+ + {% if site.newsletter.enabled and site.newsletter.endpoint %} +
+ + + +
+ {% endif %} +
diff --git a/_includes/templates/executive-cyber-briefing.md b/_includes/templates/executive-cyber-briefing.md new file mode 100644 index 000000000..4c0fe4556 --- /dev/null +++ b/_includes/templates/executive-cyber-briefing.md @@ -0,0 +1,82 @@ +# Executive Cyber Briefing Template + +A monthly or quarterly report template for non-technical executives, board members, or business owners. Aim for 2 pages. Replace the bracketed prompts with current state. + +--- + +## 1. One-line summary (TL;DR) + +> [Current posture in one sentence. Example: "Posture is stable; one high-severity issue under remediation; phishing volume up 18% this month."] + +## 2. Risk dashboard + +| Area | Status | Change vs last period | Notes | +|------|--------|----------------------|-------| +| Vulnerability remediation | ๐ŸŸข / ๐ŸŸก / ๐Ÿ”ด | โ–ฒ / โ–ฌ / โ–ผ | [Open critical CVEs aging > SLA] | +| Identity & access | ๐ŸŸข / ๐ŸŸก / ๐Ÿ”ด | โ–ฒ / โ–ฌ / โ–ผ | [MFA coverage %] | +| Endpoint protection | ๐ŸŸข / ๐ŸŸก / ๐Ÿ”ด | โ–ฒ / โ–ฌ / โ–ผ | [EDR coverage, last 30d incidents] | +| Email security | ๐ŸŸข / ๐ŸŸก / ๐Ÿ”ด | โ–ฒ / โ–ฌ / โ–ผ | [Phishing reports, BEC attempts] | +| Backups & recovery | ๐ŸŸข / ๐ŸŸก / ๐Ÿ”ด | โ–ฒ / โ–ฌ / โ–ผ | [Last successful restore test] | +| Third-party / vendor | ๐ŸŸข / ๐ŸŸก / ๐Ÿ”ด | โ–ฒ / โ–ฌ / โ–ผ | [SOC 2 expirations, new vendors] | + +๐ŸŸข within tolerance ยท ๐ŸŸก watch ยท ๐Ÿ”ด action required + +## 3. What changed this period + +**Improvements** +- [Concrete win, e.g., "Rolled out app-based MFA to remaining 12% of staff"] +- [Concrete win] + +**Setbacks or new risks** +- [Issue + business impact + plan + ETA] +- [Issue + business impact + plan + ETA] + +## 4. Incidents + +| Date | Severity | Summary | Status | +|------|----------|---------|--------| +| [YYYY-MM-DD] | [Low/Med/High/Crit] | [One sentence] | [Open / Contained / Closed] | + +If zero incidents: state that explicitly. Boards distrust silence. + +## 5. Threat landscape (external) + +Two or three items relevant to *our* industry, vendors, or geography. Avoid generic news. + +- **[Threat or trend]** โ€” [What it means for us specifically. What we are doing about it.] +- **[Threat or trend]** โ€” [Same.] + +## 6. Decisions requested + +If nothing is needed: say so. Otherwise: + +- [ ] **Decision:** [What you need approved] โ€” **Cost:** [$ or FTE] โ€” **Impact if no:** [What breaks or stalls] +- [ ] **Decision:** ... + +## 7. Spend snapshot + +| Line item | Budget | Spent YTD | Forecast variance | +|-----------|--------|-----------|-------------------| +| Tools & subscriptions | | | | +| Headcount | | | | +| Training & certifications | | | | +| Incident response retainer | | | | +| Insurance (cyber) | | | | + +## 8. Next quarter focus + +Three items, not ten. Each item = title + outcome + owner + target date. + +1. **[Initiative]** โ€” [Outcome statement] โ€” [Owner] โ€” [Date] +2. ... +3. ... + +--- + +## Tone notes (delete before sending) + +- Use plain English. "Critical CVE on Fortinet edge" โ†’ "Vendor-reported flaw on our perimeter firewall, patch in next 48h." +- Quantify whenever possible. "We blocked 14,000 phishing emails this month, up from 11,500 last month." +- Don't bury bad news. Lead with it, then the plan. +- Map every spend item to a risk it reduces. If you can't, question the spend. +- Color in dashboards is for at-a-glance; keep one-line annotations explaining the color. diff --git a/_includes/templates/incident-response-checklist.md b/_includes/templates/incident-response-checklist.md new file mode 100644 index 000000000..cc7de2a90 --- /dev/null +++ b/_includes/templates/incident-response-checklist.md @@ -0,0 +1,79 @@ +# Incident Response Checklist + +A working checklist based on the SANS / NIST PICERL lifecycle. Use this in real-time during an incident, or as a tabletop guide. + +## 1. Prepare (before anything happens) + +- [ ] On-call rotation documented; primary + backup names known +- [ ] Comms tree: who to call (legal, exec, PR, insurance, MSSP, IR retainer) +- [ ] Out-of-band comms channel ready (Signal group, separate Slack workspace) โ€” assume primary is compromised +- [ ] Decision-tree authority: who can authorize containment that takes services offline? +- [ ] Logs centralized and at least 90 days deep +- [ ] Recent backup test: when was the last successful restore drill? +- [ ] IR retainer or hotline number on file + +## 2. Identify + +- [ ] Source of detection logged (alert, user report, third party, threat-intel feed) +- [ ] Initial timestamp recorded (UTC) +- [ ] Affected systems enumerated: hostname, IP, owner, criticality +- [ ] Indicator of Compromise (IOC) noted: file hash, IP, domain, behavior +- [ ] Severity assigned (Low / Med / High / Critical) โ€” re-evaluate hourly +- [ ] Incident ticket opened; ticket ID broadcast to responders +- [ ] Initial scoping question: data exfil, destructive, persistence, or recon? + +## 3. Contain + +Short-term: + +- [ ] Isolate affected hosts (network quarantine, not power-off โ€” preserve volatile evidence) +- [ ] Disable compromised credentials (rotate, revoke MFA tokens, kill active sessions) +- [ ] Block known IOCs at perimeter (firewall, DNS, EDR) +- [ ] Take memory + disk image of at least one affected host before reboot + +Long-term: + +- [ ] Patch / reconfigure to prevent re-entry on the same vector +- [ ] Increase logging and monitoring on adjacent systems +- [ ] Push EDR / IDS rule updates derived from observed IOCs + +## 4. Eradicate + +- [ ] Remove malware (re-image is safer than clean โ€” clean only if you're certain) +- [ ] Reset all credentials with potential exposure +- [ ] Rotate any leaked secrets (API keys, certificates, service accounts) +- [ ] Verify persistence mechanisms removed: scheduled tasks, services, registry run keys, web shells, SSH keys, cron jobs + +## 5. Recover + +- [ ] Restore from clean backup (verified-clean โ€” confirm pre-incident timestamp) +- [ ] Phased return to production (canary first, then full) +- [ ] Heightened monitoring for at least 30 days +- [ ] Confirm normal business function with affected business owners + +## 6. Lessons Learned (within 2 weeks) + +- [ ] Post-incident review meeting scheduled +- [ ] Timeline document: what we knew when, what we did when +- [ ] Root cause: technical AND organizational +- [ ] Detection gap: would we catch this faster next time? What instrumentation is missing? +- [ ] Action items logged in a tracker โ€” owner + date for each +- [ ] Controls / playbook updates committed +- [ ] Tabletop scenario drafted from the incident for next training cycle + +## Severity Quick Reference + +| Level | Examples | Response Time | +|-------|----------|---------------| +| Critical | Data exfil confirmed; ransomware spreading; production down | Immediate, all hands | +| High | Single-host compromise; phishing with credential theft | < 1 hour | +| Medium | Suspicious activity, no confirmed compromise | < 4 hours | +| Low | Failed exploit attempts; benign anomaly | Next business day | + +## Communication Templates + +**Internal first message:** +> We are investigating a potential security incident affecting [systems]. The incident ticket is [ID]. Please [specific instruction โ€” e.g., do not log into X]. Updates every 30 minutes. + +**Hold-line (don't have facts yet):** +> We are aware of [event]. We are currently investigating. We will share verified details as we have them. Avoid speculating internally or externally until we confirm. diff --git a/_includes/templates/mfa-rollout-checklist.md b/_includes/templates/mfa-rollout-checklist.md new file mode 100644 index 000000000..b57affa75 --- /dev/null +++ b/_includes/templates/mfa-rollout-checklist.md @@ -0,0 +1,77 @@ +# MFA Rollout Checklist + +Multi-factor authentication is the single highest-ROI control for most organizations. This checklist takes you from "MFA on a few admin accounts" to "MFA on every authentication path that matters." + +## Phase 0 โ€” Pre-flight + +- [ ] Inventory all authentication systems (IdP, VPN, email, finance, HR, code repo, cloud consoles, RDP/SSH gateways, customer-facing apps with admin functions) +- [ ] Identify dependencies: which systems federate to your IdP? Which are standalone? +- [ ] Choose factor types in priority order: + 1. **FIDO2 / WebAuthn (security keys, platform passkeys)** โ€” phishing-resistant, ideal for admins + 2. **App-based TOTP / push (Authy, Microsoft Authenticator, Duo, Okta Verify)** โ€” strong, low friction + 3. **SMS / email OTP** โ€” only as fallback; vulnerable to SIM swap +- [ ] Pilot group selected (~10% of users, mix of technical and non-technical) +- [ ] Communications plan drafted: announcement, how-to, help-desk macro +- [ ] Help desk staffed for first-week spike +- [ ] Recovery / backup process defined (admin-assisted reset, recovery codes) +- [ ] Lost-device procedure documented + +## Phase 1 โ€” Privileged accounts (week 1) + +Scope: domain admins, root/sudo on prod, cloud admins, security team, finance approvers, anyone with `*` permissions anywhere. + +- [ ] Hardware security keys procured (YubiKey 5 or equivalent โ€” 2 per admin: primary + backup) +- [ ] Recovery codes generated, printed, sealed in tamper-evident envelopes, stored in safe +- [ ] FIDO2 enforced on IdP for privileged groups +- [ ] Break-glass account documented separately (paper, in safe; not in password manager that could be locked out) +- [ ] Audit log review: any admin auth that bypassed MFA in the last 30 days? + +## Phase 2 โ€” Email and IdP for all users (weeks 2โ€“3) + +- [ ] Enrollment self-service portal published +- [ ] Deadline set (~14 days from announcement) +- [ ] Daily report of unenrolled users to managers +- [ ] Conditional access: enforce MFA on all sign-ins; allow exceptions only with documented business reason and expiry date +- [ ] Legacy / basic auth disabled on email (single biggest BEC mitigation) +- [ ] OAuth tokens / app passwords audited; revoke unused + +## Phase 3 โ€” VPN and remote access (week 4) + +- [ ] VPN client integrated with IdP (so MFA flows through) +- [ ] RDP / SSH jump hosts behind MFA-protected gateway +- [ ] No direct internet exposure of management interfaces (admin panels, jump hosts) + +## Phase 4 โ€” Business apps (weeks 5โ€“8) + +For each SaaS / line-of-business app: + +- [ ] SSO via IdP (preferred โ€” inherits MFA) +- [ ] If no SSO: app-native MFA enabled and enforced +- [ ] If neither: document the gap, set a deprecation or migration date + +## Phase 5 โ€” Customer-facing (if applicable) + +- [ ] Optional MFA enabled for end users +- [ ] Required MFA for any customer with elevated permissions (admin role, financial actions) +- [ ] Risk-based MFA challenges: new device, geographic anomaly, high-value action + +## Verification + +- [ ] Run a phishing simulation against a small set of users; confirm credentials alone fail without MFA +- [ ] Confirm reporting dashboard shows enrollment % per group +- [ ] Confirm break-glass works (test in pre-prod if possible) + +## Common pitfalls + +- **SMS for admins:** SIM-swap is real. Use FIDO2 for anyone with privileged access. +- **No backup factor:** every user needs at least 2 factors registered, or recovery becomes a help-desk nightmare. +- **Push fatigue:** number-matching on push apps prevents accidental approval. Turn it on if your app supports it. +- **Service accounts:** never put a human's MFA on a service account. Use proper machine identity (cert, managed identity, OIDC). +- **Legacy protocols:** SMTP basic auth, IMAP, POP3, NTLM, LDAP simple bind โ€” disable wholesale, exception by exception. + +## Maintenance + +- [ ] Quarterly review of MFA exceptions +- [ ] Quarterly review of users with no MFA factors registered +- [ ] Annual replacement / inventory of hardware keys +- [ ] Annual phishing simulation including MFA-bypass scenarios (consent phishing, push fatigue) diff --git a/_includes/templates/security-headers-checklist.md b/_includes/templates/security-headers-checklist.md new file mode 100644 index 000000000..c7b9d2018 --- /dev/null +++ b/_includes/templates/security-headers-checklist.md @@ -0,0 +1,101 @@ +# HTTP Security Headers Checklist + +Quick-reference for production web applications. Run the [Header Analyzer](/tools/header-analyzer/) tool against your site to confirm. + +## Required (high impact, low effort) + +### Strict-Transport-Security (HSTS) + +``` +Strict-Transport-Security: max-age=31536000; includeSubDomains; preload +``` + +- [ ] `max-age` is at least one year (31536000 seconds) +- [ ] `includeSubDomains` set if all subdomains are HTTPS +- [ ] `preload` directive set and site submitted to hstspreload.org (only after first two confirmed) + +### Content-Security-Policy (CSP) + +``` +Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-RANDOM'; style-src 'self'; img-src 'self' data: https:; object-src 'none'; base-uri 'self'; frame-ancestors 'none' +``` + +- [ ] `default-src 'self'` baseline +- [ ] No `'unsafe-inline'` for `script-src`; use nonces or hashes +- [ ] `object-src 'none'` (kills Flash / legacy plugin attacks) +- [ ] `frame-ancestors 'none'` (replaces X-Frame-Options) +- [ ] CSP report-uri or report-to configured for monitoring + +### X-Content-Type-Options + +``` +X-Content-Type-Options: nosniff +``` + +- [ ] Set on every response. No exceptions. + +### Referrer-Policy + +``` +Referrer-Policy: strict-origin-when-cross-origin +``` + +- [ ] Default `strict-origin-when-cross-origin` is safe for most apps +- [ ] Use `no-referrer` if your app must not leak Referer at all + +### Permissions-Policy + +``` +Permissions-Policy: camera=(), microphone=(), geolocation=(), interest-cohort=() +``` + +- [ ] Disable browser features the app does not use +- [ ] `interest-cohort=()` opts out of FLoC-style tracking (legacy but cheap) + +## Cookie Flags + +For every Set-Cookie: + +- [ ] `Secure` โ€” HTTPS-only +- [ ] `HttpOnly` โ€” not readable by JavaScript (for session/auth cookies) +- [ ] `SameSite=Lax` minimum; `SameSite=Strict` if cross-site links don't need session +- [ ] `__Host-` prefix on session cookies (binds to exact origin, requires Secure + Path=/) + +## Headers to REMOVE + +- [ ] `Server` โ€” strips version disclosure (e.g., `Server: Apache/2.4.41`) +- [ ] `X-Powered-By` โ€” strips backend disclosure (e.g., `X-Powered-By: PHP/7.4.3`) +- [ ] `X-AspNet-Version`, `X-AspNetMvc-Version` +- [ ] `X-Generator` if it leaks framework version + +## Legacy / Deprecated (set if needed for old browsers) + +- [ ] `X-Frame-Options: DENY` โ€” only for old browsers; CSP `frame-ancestors` supersedes +- [ ] `X-XSS-Protection: 0` โ€” explicitly disable; modern advice is to OFF the header (it caused vulns) + +## CORS (only if your app needs it) + +- [ ] `Access-Control-Allow-Origin` is **never** `*` for authenticated APIs +- [ ] Allow-list specific origins +- [ ] `Access-Control-Allow-Credentials: true` only with explicit origin (not wildcard) +- [ ] `Access-Control-Max-Age` set to limit preflight chatter + +## Verification Workflow + +1. Deploy headers in **report-only** mode where supported (`Content-Security-Policy-Report-Only`) +2. Watch reports for 1โ€“2 weeks; tighten policy +3. Promote to enforcing mode +4. Re-test with [Header Analyzer](/tools/header-analyzer/) and Mozilla Observatory +5. Document baseline; any future deviation requires a ticket + +## Score Targets + +| Tool | Minimum | Target | +|------|---------|--------| +| Mozilla Observatory | B+ | A+ | +| securityheaders.com | A | A+ | +| Header Analyzer (this site) | All required headers present | All required + no version disclosure | + +--- + +**Reminder:** these headers do not replace input validation, output encoding, authentication, or authorization. They are defense-in-depth. Treat them as the cheapest 10% you must always have set. diff --git a/_includes/templates/vulnerability-triage-worksheet.md b/_includes/templates/vulnerability-triage-worksheet.md new file mode 100644 index 000000000..17d431b32 --- /dev/null +++ b/_includes/templates/vulnerability-triage-worksheet.md @@ -0,0 +1,74 @@ +# Vulnerability Triage Worksheet + +Use this when a new CVE shows up in scanner results, news, or vendor advisory. The goal is to move from "we have 4,000 CVEs" to "we are patching these 12 first" in under 30 minutes per item. + +## Core Identifiers + +- **CVE ID:** ____________________ +- **Vendor / Product:** ____________________ +- **Affected Versions:** ____________________ +- **Disclosed:** ____________________ +- **Vendor Patch Available?** โ˜ Yes โ˜ No โ˜ Mitigation only + +## Severity Inputs + +| Source | Score | Notes | +|--------|-------|-------| +| CVSS v3.1 base | / 10 | | +| CVSS v3.1 environmental | / 10 | Adjusted for our context | +| EPSS (likelihood %) | % | First.org โ€” refresh quarterly | +| CISA KEV listed? | โ˜ Yes โ˜ No | If Yes, treat as critical regardless of CVSS | + +## Exposure Questions + +1. **Is the affected product running in our environment?** + โ˜ Yes โ€” count: ____ โ˜ No โ˜ Unknown +2. **Is it internet-facing?** โ˜ Yes โ˜ No โ˜ Partially +3. **Does the vulnerable feature/endpoint run in our deployment?** + (Many CVEs apply only when a specific module/option is enabled.) +4. **Is authentication required to exploit?** โ˜ Pre-auth โ˜ Auth-required โ˜ Local only +5. **Does the affected system process or store sensitive data?** โ˜ Yes โ˜ No +6. **Is there a working public exploit?** โ˜ POC โ˜ Weaponized โ˜ None known + +## Compensating Controls Already in Place + +- [ ] WAF rule blocks the attack pattern +- [ ] Network segmentation limits blast radius +- [ ] EDR detects the post-exploit behavior +- [ ] IDS/IPS signature deployed +- [ ] Vendor mitigation applied (config change, feature disable) + +## Triage Decision Matrix + +| Internet-facing | KEV / Active exploit | Auth | Decision | +|---|---|---|---| +| Yes | Yes | Pre-auth | **Patch within 24h, emergency change window** | +| Yes | No | Pre-auth | Patch within 7 days | +| Yes | Yes | Auth | Patch within 7 days | +| No | Yes | Pre-auth | Patch within 14 days | +| No | No | Any | Patch in next monthly cycle | +| Any | EPSS > 50% | Any | Bump priority by one tier | + +## Action Plan + +- [ ] **Patch:** scheduled date ____________________ +- [ ] **Mitigate (interim):** control: ____________________ effective date: __________ +- [ ] **Accept risk:** rationale, expiration date, sign-off: ____________________ +- [ ] **Defer:** justification + revisit date: ____________________ + +## Verification + +- [ ] Patch deployed and tested in non-prod +- [ ] Asset inventory updated; affected version no longer present +- [ ] Re-scan confirms remediation +- [ ] Detection rule deployed in case the vector re-emerges + +## Communication + +- Owner: ____________________ +- Stakeholders notified: โ˜ App team โ˜ Risk / Compliance โ˜ Exec +- Ticket / change record: ____________________ + +--- + +**Quick math reminder:** CVSS measures *severity if exploited*. EPSS measures *likelihood of exploitation in the wild*. CISA KEV says *we already have evidence of exploitation*. A CVSS 9.8 with EPSS 0.5% and not in KEV is rarely the most urgent thing on your queue. A CVSS 6.5 in KEV with a public weaponized exploit, on an internet-facing host, often is. diff --git a/_layouts/home.liquid b/_layouts/home.liquid index 0214a8de1..5a8d98985 100644 --- a/_layouts/home.liquid +++ b/_layouts/home.liquid @@ -4,6 +4,7 @@ layout: default {% include home-hero.html %} {% include home-cards.html %} {% include home-conferences.html %} +{% include subscribe-cta.html %}